Operationalising PoPI Act – will you be ready?
With COVID-19 dominating the headlines, it’s no surprise that many of us may have missed last month’s proclamation bringing additional sections of the Protection of Personal Information (PoPI) Act into operation.
The sections of the Act that came into force on the 1st of July 2020 are sections 2 to 38; sections 55 to 109; section 111 and section 114(1), (2) and (3), while section 110 and 114(4) will come into play on the 30th of June 2021.
These are the essential sections of the Act that deal with, amongst others, the conditions for lawful processing of (and limitations on further processing) personal information; provisions regulating direct marketing; procedures for dealing with complaints; and general enforcement of the Act.
Whilst the Act was passed in 2013, its implementation has taken an incremental course, with various delays, meaning that many of us have taken a “head in the sand” approach and are now left with a lot to do in the one year’s grace period.
Parallels can be drawn with the European Union, where corporations had a two year period to become compliant with the similar Global Data Protection Regulation (GDPR). Many missed the initial deadline.
A top down approach to operationalise PoPI
Operationalising the PoPI Act is in many ways a data management challenge.
Organisations must identify where personal data resides in their organisation, who is responsible for it, and whether it is being used in accordance with conditions for lawful processing.
A key lesson that should be learnt from the GDPR experience is that a bottom up approach – starting at the data attribute level – is overwhelming.
If we assume that it takes 5 minutes to accurately classify a single attribute, it will take 4.5 years to classify 100000 attributes. This may sound like a long time, but large organisations may eventually need to classify and regulate the use of millions of personal data attributes. This approach cannot possibly be delivered in the 12-month grace period.
Best practices to operationalise the PoPI Act
A May 2018 GDPR survey pointed to several best practises that are relevant to operationalising the PoPI Act
- Cover all four pillars: People, Process, Technology, and Data
- Use a top down approach to ensure results can be sustained
-
- Both GDPR and the PoPI Act are principle based
- Both GDPR and the PoPI Act are about the responsible use of data
- People use data, through processes that are enabled by technology
- Involve everyone: It’s tempting when talking data management to assume this is an IT problem only. In practise, data privacy regulations need board-level sponsorship and coordination, and joint leadership from legal, IT, HR and other business stakeholders
A top-down approach, supported by technology, is essential to automate key processes and provide an audit trail of decisions made.
Getting started is easy:
- Identify stakeholders and clarify their roles and responsibilities.
- Inventory how data moves across and beyond your organisation.
- Assess what data and processes pose risk to the rights of the data subject.
- Put controls and safeguards in place to address those risks.
Given the timelines and available resources a triage approach may be necessary – ensuring complete compliance for high risk / high value processes and datasets by the deadline, and phasing in lower risk datasets, systems and processes over time. Legal advice should, of course, be taken with respect to this approach.
Master Data Management provides a methodology and a number of tools to reduce the complexity of achieving PoPI Act compliance, leveraging the lessons learned in Europe with GDPR. Contact us on +2711 485 4856 for more information.